Re: [ire] New version (4) of the spec and new draft on DNRD (1)
Christopher Browne <cbbrowne@afilias.info> Thu, 13 December 2012 19:04 UTC
Return-Path: <cbbrowne@afilias.info>
X-Original-To: ire@ietfa.amsl.com
Delivered-To: ire@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 626E221F8A53 for <ire@ietfa.amsl.com>; Thu, 13 Dec 2012 11:04:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V+kSI4hCaEys for <ire@ietfa.amsl.com>; Thu, 13 Dec 2012 11:04:38 -0800 (PST)
Received: from outbound.afilias.info (outbound.afilias.info [66.199.183.4]) by ietfa.amsl.com (Postfix) with ESMTP id A1D0C21F8A4D for <ire@ietf.org>; Thu, 13 Dec 2012 11:04:38 -0800 (PST)
Received: from ms5.on1.afilias-ops.info ([10.109.8.9] helo=smtp.afilias.info) by outbound.afilias.info with esmtp (Exim 4.69) (envelope-from <cbbrowne@afilias.info>) id 1TjE5F-0006oe-6F for ire@ietf.org; Thu, 13 Dec 2012 19:04:37 +0000
Received: from mail-qa0-f70.google.com ([209.85.216.70]) by smtp.afilias.info with esmtps (TLSv1:RC4-SHA:128) (Exim 4.72) (envelope-from <cbbrowne@afilias.info>) id 1TjE5F-0001Gu-5y for ire@ietf.org; Thu, 13 Dec 2012 19:04:37 +0000
Received: by mail-qa0-f70.google.com with SMTP id hg5so5555341qab.1 for <ire@ietf.org>; Thu, 13 Dec 2012 11:04:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=FpguRQqs6jCcvpDpKXwCLFTLBFx/5cEUByh+MyrgXM4=; b=GSBlq1aQJAFcx7US7jcNRqzc47Il+gKlGMk2fUjZNmDXbqorMLcm1LeJRhvrJiDmoj 8gyouJ/Y7nFLhrnY1HZ9mPwL0ZSk4KAPcS1Nv4jtxzgDZnfWX//8aIES18rDWb7RabHN 7s0/aFJ3oJysSg+44K1rpXQRdQ026bjn9Sj98NS31jr2D8mhoPyIQWm+hG5MieaGbCWa KvKpE7vsq0Am3fCXf0Ec4hwJ2wp6bgPReLZh76+6tooiFfc5Vxd3gtfDz/3WOOHTXhUH tRJryXnN9uqlCUW+zdYQz7I8/71rTlbJDVRWxcAU8viORoNKjL2dlmyra2z51e7Lftas NAbw==
Received: by 10.229.78.216 with SMTP id m24mr308371qck.73.1355425472316; Thu, 13 Dec 2012 11:04:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.229.78.216 with SMTP id m24mr308368qck.73.1355425472155; Thu, 13 Dec 2012 11:04:32 -0800 (PST)
Received: by 10.49.13.106 with HTTP; Thu, 13 Dec 2012 11:04:31 -0800 (PST)
In-Reply-To: <C41D7AF7FCECBE44940E9477E8E70D7A0D740B8D@BRN1WNEXMBX02.vcorp.ad.vrsn.com>
References: <C41D7AF7FCECBE44940E9477E8E70D7A0D712FB6@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <C41D7AF7FCECBE44940E9477E8E70D7A0D740B8D@BRN1WNEXMBX02.vcorp.ad.vrsn.com>
Date: Thu, 13 Dec 2012 14:04:31 -0500
Message-ID: <CANfbgbY8TatBaEOX=s-S3Hu9oMqk8JZ0XCNLohPjB4q3hXNOXA@mail.gmail.com>
From: Christopher Browne <cbbrowne@afilias.info>
To: "Gould, James" <JGould@verisign.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQlUIceUWtj5+o17413R7g4EsGg2h2lOGkjZxNmHzbEFxR4yDVAOqRvv83cWohYzL/tJ0ZfCmickfJzRtLfBIZDSWBMoLAb6zwJsZzTawaKRn0X5uaLu1HTB67AbKf7fWRl24rtk
Cc: "ire@ietf.org" <ire@ietf.org>
Subject: Re: [ire] New version (4) of the spec and new draft on DNRD (1)
X-BeenThere: ire@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Internet Registration Escrow discussion list." <ire.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ire>, <mailto:ire-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ire>
List-Post: <mailto:ire@ietf.org>
List-Help: <mailto:ire-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ire>, <mailto:ire-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2012 19:04:39 -0000
On Thu, Dec 13, 2012 at 11:16 AM, Gould, James <JGould@verisign.com> wrote: > > Gustavo, > > I noticed the following additional items with > draft-arias-noguchi-dnrd-objects-mapping-01: > > The description of the <crID> and <upID> should match what is in the EPP > RFC's. Specifically, change "identifier of the registrar" to "identifier of > the client". In our registries we have account users (verisign as well as > registrar) that are reflected in the <crID> and <upID> fields via the user's > user name (e.g. jgould). This is important to track exactly who took the > action, since actions can be taken outside of the EPP channel (Registrar > Tool, CSR Tool, batch) that should properly be reflected in the <crID> and > <upID> elements. Now the next logical question is whether there needs to be > a deposit for users to link the "client identifiers" to. I would imagine > that an EBERO provider would import the <crID> and <upID> fields as strings > and replace them (most likely using different fields) with real user > identifiers based on future updates to the objects. > The question is whether the authInfo should be escrowed at all since these > reflect secret passwords. Our system stores them encrypted and I don't > believe it is a good security practice to escrow them in a decrypted form or > even provide a tool that can decrypt them. I believe that the EBERO > provider recovering a registry from the data escrow deposit can generate new > random authorization info values and make them available in bulk to the > registrars or on-demand by the registrars submitting an EPP info command for > the objects. What are your thoughts with this? I largely concur... Yes, indeed, there will be some users that are not specifically registrars, so <crID> and <upID> are not strictly "registrars"; sometimes they will indicate registry operator agents that are not registrars. As for authinfo values, I'm a bit torn. On the one hand, there is a significant problem in changing authinfo values on the registrants, particularly when the registry operator may have no direct channel for communicating updates to the registrants. (This is most pointedly the case for "thin" registries where no contact information is captured in the registry!) However, as soon as we are in a situation of switching registry operators, there are distinctly too many agents that share the secret authinfo values. It has been our practice, when taking over operations of registries, to change all authinfo values. My instant, kneejerk recommendation upon receiving a dump of data for a registry is to say, "And we'll be replacing all the authinfos, right?" I observe that the authinfo values should be considered distinct from user authentication information for registrars; those are quite different things. I see what looks like conflation of the two things downthread.
- [ire] New version (4) of the spec and new draft o… Gustavo Lozano
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Christopher Browne
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Hollenbeck, Scott
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Gould, James
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo
- Re: [ire] New version (4) of the spec and new dra… Hollenbeck, Scott
- Re: [ire] New version (4) of the spec and new dra… Francisco Obispo